Point-of-sale (POS) systems are rich targets for attackers: they are a gateway to credit card information, customer and back-office data, and whatever else sits on the store network.

A recently patched vulnerability in Oracle’s MICROS POS system software can lead to attackers gaining full access to the systems, say researchers.

The vulnerability (CVE-2018-2636) has a CVSS v3.0 base score of 8.1. It affects the Simphony POS software suite, which provides both back-office and customer-facing applications running on fixed and mobile devices and is widely used in the restaurant and hotel industries. Affected versions include 2.7, 2.8 and the most recent version, 2.9, released in October 2016.

The vulnerability is “difficult to exploit” but allows an unauthenticated attacker with network access to compromise the application over HTTP, Oracle said in the documentation for the recent patch update. Successful attacks “can result in takeover” of a Simphony system, it added.

In a blog post, ERPScan provided more detail: the flaw is a directory traversal vulnerability in the MICROS EGateway Application Service, which lets anyone who can reach the vulnerable URL read arbitrary files from the MICROS workstation.

“In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.,” the company said. “So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data.”
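The traversal ERPScan describes belongs to a generic class of bug: a web handler joins an attacker-controlled path onto a directory and serves whatever file results, so `..` sequences (plain, URL-encoded, double-encoded, or with backslashes) walk out of the intended directory to configuration files such as the ones named above. The Python below is added here as an illustration and is not MICROS/Simphony code, Oracle's patch, or ERPScan's script; it places a vulnerable path resolver beside a hardened one and runs both against a set of probe paths. The temporary directory tree, the `Dbconfix.xml` stand-in and its contents, and the probe paths are all constructed for the demo, and nothing in it reflects the actual EGateway URL or implementation.

```python
"""Directory traversal: a vulnerable file lookup beside a hardened one.

Added illustration, not MICROS/Simphony, Oracle or ERPScan code. The web root
layout, the stand-in config file and the request paths are constructed.
"""
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Classic bug: decode once, join onto the root, and never check that the
    result is still inside the root. This is the shape of a traversal flaw."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def hardened_resolve(web_root: str, requested: str) -> Optional[str]:
    """Return an absolute path inside web_root, or None if the request escapes it."""
    decoded = requested
    for _ in range(3):                # unwrap double/triple encoding (%252e -> %2e -> .)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\0" in decoded:               # NUL can truncate paths in lower layers
        return None
    # Treat backslashes as separators (the app may run on Windows) and drop
    # leading slashes so os.path.join cannot discard web_root for absolute paths.
    rel = decoded.replace("\\", "/").lstrip("/")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    # Containment check on the fully resolved path, not a blacklist of "..".
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Request paths an attacker would try; constructed for the demo.
TRAVERSAL_PROBES = [
    "index.html",               # legitimate request
    "../Dbconfix.xml",          # plain traversal
    "..%2FDbconfix.xml",        # URL-encoded slash
    "%2e%2e/Dbconfix.xml",      # URL-encoded dots
    "%252e%252e/Dbconfix.xml",  # double-encoded dots
    "..\\Dbconfix.xml",         # backslash separator (bites on Windows hosts)
    "/../Dbconfix.xml",         # absolute path handed to os.path.join
]


def build_demo_tree() -> Tuple[str, str]:
    """Throwaway tree: <base>/webroot/index.html plus a config file one level
    above the web root, standing in for Dbconfix.xml. Contents are made up."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "webroot")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>")
    with open(os.path.join(base, "Dbconfix.xml"), "w") as fh:
        fh.write("<db user='pos' password='ENCRYPTED-PLACEHOLDER'/>")
    return base, web_root


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Map each probe to (vulnerable resolver escaped the root?, hardened resolver allowed it?)."""
    base, web_root = build_demo_tree()
    root = os.path.realpath(web_root)
    results: Dict[str, Tuple[bool, bool]] = {}
    try:
        for probe in TRAVERSAL_PROBES:
            v = os.path.realpath(vulnerable_resolve(web_root, probe))
            v_escaped = v != root and not v.startswith(root + os.sep)
            results[probe] = (v_escaped, hardened_resolve(web_root, probe) is not None)
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for probe, (v_escaped, h_allowed) in run_demo().items():
        print(f"{probe:28s} vulnerable escapes root: {str(v_escaped):5s}  hardened allows: {h_allowed}")
```

Two points are worth noting when reading the output. The vulnerable resolver is fooled by the plain, single-encoded and absolute-path probes, but not by the double-encoded one, because it decodes only once; a front end that decodes again before handing the path on would reopen that hole, which is why the hardened version decodes until the string stops changing. The hardened version also does not try to blacklist `..` at all: it resolves the final path with `realpath` and checks containment, so symlinks and odd separators are handled by the same test. For a deployed Simphony system the practical fix is still Oracle's patch; this only shows the class of defect the patch addresses.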

Using a Shodan search, ERPScan found 170 MICROS POS systems exposed directly to the internet. That is a tiny fraction of the total MICROS landscape, since the systems are deployed at more than 330,000 sites worldwide.

But internet exposure is not required. Attackers could also visit a store, find a public device, such as a digital scale for weighing produce or other goods, that connects to the store network through an RJ45 Ethernet jack, connect a Raspberry Pi to that jack and scan the internal network from there, ERPScan said. “That is where they [can] easily discover a POS system,” the researchers wrote. “Remember this fact when you pop into a store.”

There is no word on whether any MICROS systems have been breached through the recently patched vulnerability, but it is likely still present in many unpatched deployments. ERPScan has released a script on GitHub that MICROS administrators can use to check whether their environments are vulnerable.

Should a successful breach occur, it would not be the first time for MICROS. In August 2016, Oracle reported that it had discovered malicious code on “some legacy MICROS systems” and told all customers to reset their passwords.

The attackers had placed malware on a MICROS support server, which was then able to capture customers’ usernames and passwords, Krebs on Security reported at the time. They were apparently associated with the Carbanak gang, part of a Russia-based cybercrime group suspected of stealing $1 billion from banks.

More recently, fashion retailer Forever 21 confirmed that hackers had managed to install malware on a number of its POS terminals, allowing them to steal customer credit card data. The malware was present on some of Forever 21’s systems for nearly eight months during 2017, the company said.

POS attacks are likely to increase, simply because a fast-growing attack surface gives cybercriminals more opportunities to exploit these systems.

For example, the retail and hospitality industries are increasingly rolling out self-service kiosks, driven by customer expectations as well as the bottom line. McDonald’s began installing self-service ordering at all 14,000 of its U.S. locations in 2016, and the move has been credited with helping it shore up previously flagging sales.

“Point-of-sale terminals are elements that an average person deals with regularly in everyday life,” ERPScan said, adding, “It makes this sphere especially important and encourages paying extra attention and taking necessary security measures.”

-K Ramanathan ram@justransact.com
